
gh-actions-npm-audit's People

Contributors

abhaybhargav

gh-actions-npm-audit's Issues

npm audit found vulnerabilities

# npm audit report

async  2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
Depends on vulnerable versions of lodash
fix available via `npm audit fix`
node_modules/async
  mongoose  <=5.13.8 || 6.0.0-rc0 - 6.0.3
  Depends on vulnerable versions of async
  Depends on vulnerable versions of bson
  Depends on vulnerable versions of mongodb
  Depends on vulnerable versions of mpath
  Depends on vulnerable versions of mquery
  node_modules/mongoose

base64url  <3.0.0
Severity: moderate
Out-of-bounds Read in base64url - https://github.com/advisories/GHSA-rvg8-pwq2-xj7q
fix available via `npm audit fix`
node_modules/base64url
  ecdsa-sig-formatter  1.0.9
  Depends on vulnerable versions of base64url
  node_modules/ecdsa-sig-formatter
    jwa  <=1.1.5
    Depends on vulnerable versions of base64url
    Depends on vulnerable versions of ecdsa-sig-formatter
    node_modules/jwa
      jws  <=3.1.4
      Depends on vulnerable versions of base64url
      Depends on vulnerable versions of jwa
      node_modules/jws
        jsonwebtoken  <=4.2.2
        Depends on vulnerable versions of jws
        node_modules/jsonwebtoken

bson  <=1.1.3
Severity: high
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-4jwp-vfvf-657p
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-v8w9-2789-6hhr
fix available via `npm audit fix`
node_modules/bson
  mongodb-core  <=3.1.1
  Depends on vulnerable versions of bson
  node_modules/mongodb-core
    mongodb  <=3.1.12
    Depends on vulnerable versions of mongodb-core
    node_modules/mongodb

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/constantinople

dicer  *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    express-fileupload  <=1.3.1
    Depends on vulnerable versions of busboy
    node_modules/express-fileupload
    multer  <=2.0.0-rc.3
    Depends on vulnerable versions of busboy
    Depends on vulnerable versions of mkdirp
    node_modules/multer

helmet-csp  1.2.2 - 2.9.0
Severity: moderate
Configuration Override in helmet-csp - https://github.com/advisories/GHSA-c3m8-x3cg-qm2c
fix available via `npm audit fix`
node_modules/helmet-csp
  helmet  2.1.2 - 3.20.1
  Depends on vulnerable versions of helmet-csp
  node_modules/helmet

js-yaml  <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix`
node_modules/js-yaml

lodash  <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix`
node_modules/lodash
  express-validator  0.2.0 - 6.4.1
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of validator
  node_modules/express-validator

mime  <1.4.1
Severity: moderate
Regular Expression Denial of Service in mime - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/mime
  send  <=0.15.6
  Depends on vulnerable versions of mime
  node_modules/send
    express  3.0.0-alpha1 - 4.15.5 || 5.0.0-alpha.1 - 5.0.0-alpha.6
    Depends on vulnerable versions of send
    Depends on vulnerable versions of serve-static
    node_modules/express
    serve-static  <=1.12.6
    Depends on vulnerable versions of send
    node_modules/serve-static

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp
    mv  
    Depends on vulnerable versions of mkdirp
    node_modules/mv

moment  <=2.29.3
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
Inefficient Regular Expression Complexity in moment - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
fix available via `npm audit fix`
node_modules/moment
  bunyan  
  Depends on vulnerable versions of moment
  node_modules/bunyan

morgan  <1.9.1
Severity: moderate
Code Injection in morgan - https://github.com/advisories/GHSA-gwg9-rgvj-4h5j
fix available via `npm audit fix`
node_modules/morgan

mpath  <=0.8.3
Severity: critical
Type confusion in mpath - https://github.com/advisories/GHSA-p92x-r36w-9395
Prototype Pollution in mpath - https://github.com/advisories/GHSA-h466-j336-74wx
fix available via `npm audit fix`
node_modules/mpath

mquery  <3.2.3
Severity: moderate
Code Injection in mquery - https://github.com/advisories/GHSA-45q2-34rf-mr94
fix available via `npm audit fix`
node_modules/mquery

node-serialize  *
Severity: critical
Code Execution through IIFE in node-serialize - https://github.com/advisories/GHSA-q4v7-4rhw-9hqm
No fix available
node_modules/node-serialize

uglify-js  <=2.5.0
Severity: critical
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  2.0.0 - 3.0.1
  Depends on vulnerable versions of uglify-js
  node_modules/transformers

validator  <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via `npm audit fix`
node_modules/validator

38 vulnerabilities (1 low, 17 moderate, 10 high, 10 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.